acl:orgin in ACL docs not working? #1362
Comments
|
Same on localhost. I added an solid:ACL accessDenied: checking access to <https://michielbdejong.localhost:8443/public/bookmarks.ttl> by null and origin <https://poddit.app> +3ms
But even with that, it's a 403 and the logs show: solid:ACL Using ACL https://michielbdejong.localhost:8443/public/bookmarks.ttl.acl for ./bookmarks.ttl +35ms
solid:ACL 1 direct authentications about <https://michielbdejong.localhost:8443/public/bookmarks.ttl> +1ms
solid:ACL accessDenied: checking access to <https://michielbdejong.localhost:8443/public/bookmarks.ttl> by <https://michielbdejong.localhost:8443/profile/card#me> and origin <https://poddit.app> +3ms
solid:ACL 1 direct authentications about <https://michielbdejong.localhost:8443/public/bookmarks.ttl> +1ms
solid:ACL Checking auth <https://michielbdejong.localhost:8443/public/bookmarks.ttl.acl#owner> with agent <https://michielbdejong.localhost:8443/profile/card#me> +0ms
solid:ACL Agent explicitly authenticated. +0ms
solid:ACL Origin check FAILED. Origin not trusted. +0ms
solid:ACL Check failed: Origin Unauthorized +0ms
solid:ACL accessDenied: modeURIorReasons: ["Origin Unauthorized"] +0ms
solid:ACL checking <http://www.w3.org/ns/auth/acl#Write> +0ms
solid:ACL MODE REQUIRED NOT ALLOWED: <http://www.w3.org/ns/auth/acl#Write> Denying with Origin Unauthorized +0ms
solid:ACL Write access denied to https://michielbdejong.localhost:8443/profile/card#me: 403 - Origin Unauthorized +0ms
solid:server Error page because of: [HTTPError: Origin Unauthorized] {
name: 'HTTPError',
message: 'Origin Unauthorized',
status: 403
} +0ms
solid:server Display no-permission for https://michielbdejong.localhost:8443/public/bookmarks.ttl +0ms |
|
Yeah, this looks like a bug. https://github.com/solid/acl-check/blob/master/src/acl-check.js#L154 seems to be checking for it, but for some reason this fails. |
|
The problem is that it only checks the first Authorization entry it finds. |
|
The bug is in https://github.com/solid/acl-check but leaving it here so that we don't lose track of it. |
|
Added the 'blocker' label because it's blocking our work on the launcher app. |
|
OK, semi-false alarm, you need to specify the agent in the origin entry, and not use absolute URLs on localhost, then it works: <https://michielbdejong.localhost:8443/bookmarks.ttl.acl#15743265788207925285236500494> a <http://www.w3.org/ns/auth/acl#Authorization>;
<http://www.w3.org/ns/auth/acl#accessTo> <bookmarks.ttl>;
<http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>, <http://www.w3.org/ns/auth/acl#Write>, <http://www.w3.org/ns/auth/acl#Control>;
<http://www.w3.org/ns/auth/acl#agent> <https://michielbdejong.localhost:8443/profile/card#me>.
<https://michielbdejong.localhost:8443/bookmarks.ttl.acl#157432657882009127052789542844> a <http://www.w3.org/ns/auth/acl#Authorization>;
<http://www.w3.org/ns/auth/acl#accessTo> <bookmarks.ttl>;
<http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>, <http://www.w3.org/ns/auth/acl#Write>;
<http://www.w3.org/ns/auth/acl#agent> <https://michielbdejong.localhost:8443/profile/card#me>;
<http://www.w3.org/ns/auth/acl#origin> <https://poddit.app>.
<https://michielbdejong.localhost:8443/bookmarks.ttl.acl#15743265788203481143138502367> a <http://www.w3.org/ns/auth/acl#Authorization>;
<http://www.w3.org/ns/auth/acl#accessTo> <bookmarks.ttl>;
<http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>;
<http://www.w3.org/ns/auth/acl#agentClass> <http://xmlns.com/foaf/0.1/Agent>. |
|
Thanks Michiel, that did the trick, although absolute URLs were fine: |
Vinnl
added a commit
to inrupt/launcher-exploration
that referenced
this issue
Nov 21, 2019
Apparently you still also have to indicate which WebID uses the app at a given origin, which I guess makes sense. Thanks Michiel for figuring that out: nodeSolidServer/node-solid-server#1362 (comment)
|
And just to follow up on the question we had during the stand-up: The last one <https://vincent.localhost:8443/bookmarks.ttl.acl#157433418059917080391260297578> a <http://www.w3.org/ns/auth/acl#Authorization>;
<http://www.w3.org/ns/auth/acl#accessTo> <https://vincent.localhost:8443/bookmarks.ttl>;
<http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>;
<http://www.w3.org/ns/auth/acl#agentClass> <http://xmlns.com/foaf/0.1/Agent>.works cross-origin because for public resources, the origin check is skipped, see https://github.com/solid/acl-check/blob/master/src/acl-check.js#L159 This is also clearly documented in the first bullet point of https://github.com/solid/web-access-control-spec#referring-to-origins-ie-web-apps |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Using the Sharing pane, I added poddit.app as an app that has access to https://michielbdejong.inrupt.net/bookmarks.ttl. So now I have the following ACL doc at https://michielbdejong.inrupt.net/bookmarks.ttl.acl:
I would expect poddit.app to be allowed to access https://michielbdejong.inrupt.net/bookmarks.ttl but when trying to use the app to add a bookmark, I see a 403 error in the browser console. What am I doing wrong here?
The text was updated successfully, but these errors were encountered: